payment fraud

EAST has published its second European Fraud Update for 2019. This is based on country crime updates given by representatives of 16 countries in the Single Euro Payments Area (SEPA), and 4 non-SEPA countries, at the 48th EAST meeting held at Europol in The Hague on 5th June 2019.

Two countries reported mobile wallet fraud in relation to Apple Pay. One reported that mobile wallets are fast becoming the new money mules – fraudsters are enrolling cards that are not yet associated with a specific wallet. Another country reported that fraudsters are obtaining security codes through phishing, with which they can then install a mobile banking app on their own smartphone, using the victim’s data. One country reported that fraudsters are increasingly using mobile call centres to call customers from numbers that appear to be genuine, and then pretending to be bank security staff. This enables them to obtain key personal information and data.

Five countries reported fake websites, mainly in China and other Asian countries – customers place orders for goods, which are never fulfilled, or for services which are never provided. One country reported that the quality of fake websites and fake emails is constantly improving, with fewer language errors and better design and formatting.

ATM malware and logical attacks were reported by 6 countries. They all reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash. In most cases the attacks were unsuccessful. To date in 2019 the EAST Expert Group on All Terminal Fraud (EGAF) has published 5 related Fraud Alerts.

Card skimming at ATMs was reported by eighteen countries. Five countries reported the continued usage of M3 – Card Reader Internal Skimming devices. The most recent variants are made of transparent plastic. Skimming attacks on other terminal types were reported by six countries, three of which reported such attacks on railway ticket machines. To date in 2019 EAST EGAF has published 8 related Fraud Alerts.

Year to date International skimming related losses were reported in 37 countries and territories outside SEPA and in 4 within SEPA. The top three locations where such losses were reported remain Indonesia, India and the USA.

Eight countries reported cash trapping attacks, two of them reporting decreases in such attacks. Five countries reported card trapping attacks, two of them reporting that such attacks are increasing.

Ram raids and ATM burglary were reported by 10 countries and 9 countries reported explosive gas attacks, 4 of which reported that such attacks are increasing. Seven countries reported solid explosive attacks, two of which are seeing increases in such attacks, and one reported an attack carried out by criminals armed with assault rifles. The spread of such attacks is of great concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings. To date in 2019 the EAST Expert Group on ATM & ATS Physical Attacks (EGAP) has published 7 related Physical Attack Alerts.

The full Fraud Update is available to EAST Members (National and Associate).

The 48th EAST Meeting (National Members) was hosted by Europol at their Headquarters in The Hague on 5th June 2019. Presentations were made by the European Cybercrime Centre (EC3) and the European Serious Organised Crime Centre (ESOCC).

National country crime updates were provided by 18 countries, and a global update by HSBC. Topics covered included payment fraud and the evolution of payment technology, ATM malware and logical attacks, terminal related fraud attacks and ATM related physical attacks.

EAST Development Director Rui Carvalho participated at the first P3 CyberFraud training on 8th May 2019. The event, which was organised by the European Cyber Crime and Fraud Investigators (ECCFI), ran from 7-9 May 2019 and took place in Fleming’s Conference Hotel in Vienna. It was the first training session of the P3 Cyberfraud Project, which is funded by the ‘European Union Internal Security Fund – Police’.

The majority of the participants were from Law Enforcement Agencies and there was representation from some key private organisations. There were 71 registered participants from 24 countries. Rui Carvalho was actively involved in the discussion and gave a presentation from the EAST perspective entitled “Stats and Trends on Terminal and Payment Fraud”.

ECCFI is a registered, non-profit association. In addition to supporting the P3 Cyberfraud Project, the purpose of ECCFI is to promote cyber security in Europe, especially secure payment methods. In addition to cyber security, the purpose is to assure online security by bringing together different authorities as well as the private sector security professionals.

The EPTF is a specialist task force that discusses security issues affecting the payments industry and that gathers, collates and disseminates related information, trends and general statistics.

The meeting was chaired by Mr Rui Carvalho, EAST Development Director, and was attended by key representatives from Card Issuers, International Banks, Law Enforcement, Payment Processors, Payment Providers and Solution Providers.

The Group, which meets twice a year, adds value to the payments industry by using the unique and extensive EAST National Member platform and Associate Member network to provide information and outputs that are not currently available elsewhere. EAST National Members represent 35 countries and outputs from the group are presented to National Member Meetings. There are 210 EAST Associate Member Organisations from 53 countries and territories.

The 47th Meeting of EAST National Members was hosted by SIBS at the SANA Metropolitan Hotel in Lisbon on 6th February 2019. National country crime updates were provided by 21 countries, and a global update by HSBC. Topics covered included payment fraud and the evolution of payment technology, ATM malware and logical attacks, terminal related fraud attacks and ATM related physical attacks.

The EPTF is a specialist task force that discusses security issues affecting the payments industry and that gathers, collates and disseminates related information, trends and general statistics. The EPTF has recently published Payment Fraud Terminology and Payment Fraud Definitions. The aim is for the payment fraud terminology, and related payment fraud definitions, to be adopted globally when describing or reporting payment and transaction fraud.

The meeting was chaired by Mr Rui Carvalho, EAST Development Director, and was attended by key representatives from Card Issuers, Law Enforcement, Payment Processors, Payment Providers and Solution Providers.

The Group, which meets twice a year, adds value to the payments industry by using the unique and extensive EAST National Member platform and Associate Member network to provide information and outputs that are not currently available elsewhere. EAST National Members represent 35 countries and outputs from the group are presented to National Member Meetings. There are 202 EAST Associate Member Organisations from 52 countries and territories.

EAST Executive Director Lachlan Gunn presented at a CyberSouth Regional Workshop on Business Email Compromise (CEO Fraud) and Electronic Payment Fraud on 13 November 2018. The event, which ran from 12-14 November 2018, was held at the Directorate for Investigating Organised Crime and Terrorism (DIICOT) in Bucharest, Romania and was implemented by the Council of Europe. The CyberSouth project focuses on cooperation on cybercrime in the Southern Neighbourhood and aims at reinforcing the capacities of specialised units with responsibilities relating to tackling cybercrime and dealing with electronic evidence.

The workshop focused on increasing the knowledge of the participants on the different trends and typologies of online fraud and of electronic payment fraud in order to assist with strengthening the capacity of the criminal justice authorities in the CyberSouth countries to search for, seize, and confiscate the illicit proceeds of cyber-criminals in the target areas. Cybercrime investigators and prosecutors from the following Southern Neighbourhood priority area countries attended the event: Algeria; Jordan; Lebanon; Morocco; Tunisia.

National representatives were also present from Germany, Israel, Romania and the USA. Europol and Eurojust were present and the private sector was represented by American Express, Bitdefender and EAST.

The EAST presentation covered the structure and methodology used by EAST to help improve public/private sector cross-border cooperation in the fight against organised cross-border crime, and then shared information on the latest statistics and trends relating to logical (black box) attacks against ATMs, and also on malware used to enable jackpotting (cash out) at ATM locations. The latest fraud definitions produced by EAST were also shared and it was advised that an updated version of these will soon be available. These definitions are aimed at helping law enforcement agencies, private sector fraud investigators and other stakeholders to standardise reporting terminology when following up on incidents.

The Cybercrime Programme Office of the Council of Europe (C-PROC), based in Bucharest, is responsible for assisting countries worldwide in the strengthening of their criminal justice capacity to respond to the challenges posed by cybercrime and electronic evidence on the basis of the standards of the Budapest Convention on Cybercrime. This is the only binding international instrument on this issue and serves as a guideline for any country developing comprehensive national legislation against Cybercrime and as a framework for international cooperation between State Parties to The Convention on Cybercrime of the Council of Europe (CETS No.185).

EAST has published its third European Fraud Update for 2018. This is based on country crime updates given by representatives of 15 countries in the Single Euro Payments Area (SEPA), and 3 non-SEPA countries, at the 46th EAST meeting held in London on 9th October 2018.

Payment fraud issues were reported by fourteen countries. Seven countries reported card-not-present (CNP) as a key fraud driver. One country reported merchant manipulation of settlement files to force through authorisations on POS terminals – once the forced transaction is through on a card the merchant cashes out using it. One country reported malware related to two APT attacks – some Chinese criminals are under observation in connection with them. Another country reported impersonation fraud relating to bill payments – possibly involving collusive postal workers. To date in 2018 the EAST Payments Task Force (EPTF) has published six Payment Alerts covering phishing, malware on mobile phones, fraudulent mobile Apps, CNP fraud and Technological fraud. The EPTF has recently published payment terminology and definitions.

ATM malware and logical security attacks were reported by seven countries. Four of the countries reported ATM related malware and six countries reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash. To date in 2018 the EAST Expert Group on All Terminal Fraud (EGAF) has published eleven related Fraud Alerts.

Card skimming at ATMs was reported by fourteen countries. The overall trend is downward, as the recently published EAST European Payment Terminal Crime Report covering January to June 2018 highlights. The usage of M3 – Card Reader Internal Skimming devices was reported by four countries and one country reported the use of M2 – Throat Inlay Skimming Devices. Skimming attacks on other terminal types were reported by five countries, three of which reported such attacks on unattended payment terminals (UPTs) at petrol stations. One country reported that a series of shimming devices at POS terminals had been detected and taken down. To date in 2018 EAST EGAF has published twelve related Fraud Alerts.

Year to date International skimming related losses were reported in 44 countries and territories outside SEPA and in 6 within SEPA. The top three locations where such losses were reported remain Indonesia, the USA and India.

Six countries reported incidents of Transaction Reversal Fraud (TRF), one of which reported a new attack variant where the criminals use a ‘chip-on-a-strip’. To date in 2018 EAST EGAF has published five related Fraud Alerts.

Ram raids and ATM burglary were reported by eight countries and eight countries reported explosive gas attacks, one of which reported that two people had been sent to hospital due to related smoke inhalation. Five countries reported solid explosive attacks. The spread of such attacks has long been of great concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings. One such attack resulted in the death of a person, the first time that this has been reported. To date in 2018 the EAST Expert Group on ATM & ATS Physical Attacks (EGAP) has published seven related Physical Attack Alerts.

The full Fraud Update is available to EAST Members (National and Associate).

The 46th Meeting of EAST National Members was hosted by the LINK scheme in London on 9th October 2018. National country crime updates were provided by 18 countries, and a global update by HSBC. Topics covered included payment fraud and the evolution of payment technology, ATM malware and logical attacks, terminal related fraud attacks and ATM related physical attacks.

EAST has published its second European Fraud Update for 2018. This is based on country crime updates given by representatives of 18 countries in the Single Euro Payments Area (SEPA), and 3 non-SEPA countries, at the 45th EAST meeting held in The Hague on 6th June 2018.

Payment fraud issues were reported by fifteen countries. Seven countries reported card-not-present (CNP) as a key fraud driver. Two countries reported attempted ‘Forced Post’ fraud, possible when some point of sale (POS) terminals allow the ‘force sale’ functionality. One country reported a new form of malware on Android mobile phones, distributed with a fake application uploaded from third-party Android stores. Another country reported cases of SIM swap fraud, where fraudsters authorise a bank transfer by switching the customer’s mobile phone number over to a new SIM and intercept the authorisation message. To date in 2018 the EAST Payments Task Force (EPTF) has published five Payment Alerts covering phishing, malware on mobile phones, fraudulent mobile Apps and CNP fraud.

ATM malware and logical security attacks were reported by nine countries. Five of the countries reported ATM related malware. In addition to Cutlet Maker (used for ATM cash-out) a new variant called WinPot has been reported – this is used to check how many banknotes are in an ATM. Six countries reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash. To date in 2018 the EAST Expert Group on All Terminal Fraud (EGAF) has published seven related Fraud Alerts. To help counter these threats Europol, supported by EAST EGAF, has published a document entitled ‘Guidance and Recommendations regarding Logical attacks on ATMs’. It covers mitigating the risk, setting up lines of defence and identifying and responding to logical attacks. This is available in four languages: English, German, Italian and Spanish.

Card skimming at ATMs was reported by fourteen countries. For the first time one country reported the arrest of a Chinese national in connection with such attacks. The usage of M3 – Card Reader Internal Skimming devices remains most prevalent. This type of device is placed at various locations inside the motorised card reader behind the shutter. Six countries reported such attacks. One country reported the use of M2 – Throat Inlay Skimming Devices. Skimming attacks on other terminal types were reported by five countries, four of which reported such attacks on unattended payment terminals (UPTs) at petrol stations. To date in 2018 EAST EGAF has published ten related Fraud Alerts.

Year to date International skimming related losses were reported in 31 countries and territories outside SEPA and in 3 within SEPA. The top three locations where such losses were reported remain Indonesia, the USA and India.

Three countries reported incidents of Transaction Reversal Fraud (TRF), two of which reported new attack variants. To date in 2018 EAST EGAF has published four related Fraud Alerts.

Ram raids and ATM burglary were reported by eight countries. Six countries reported explosive gas attacks, one of which reported such attacks against ATS machines for the first time. Another reported that explosive gas attacks against ATMs have started for the first time. Five countries reported solid explosive attacks. The spread of such attacks is of great concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings. To date in 2018 the EAST Expert Group on ATM & ATS Physical Attacks (EGAP) has published five related Physical Attack Alerts.

The full Fraud Update is available to EAST Members (National and Associate).
